musig: API for adjustment factor

Open oleganza opened this issue 5 years ago • 0 comments

Problem

Consider these use cases:

In a Predicate tree, a root P = X + h(X, other)·G can be used as a verification key instead of X, if the secret key x is adjusted with the commitment scalar h: x' = x + h. If X is a Multikey a0·x0 + a1·x1, then the root secret p = a0·x0 + a1·x1 + h.

In a Keytree, each child is similarly adjusted by a hash of a public key and a derivation key: Child = Parent + h(Parent, ParentDK)·G. If the parent pubkey is a Multikey a0·x0 + a1·x1, then again, the child is adjusted with h: child = a0·x0 + a1·x1 + h.

In both cases we need to form a Multikey adjusted by a scalar known to all signers (in the case of a Keytree it's kept secret from non-signers).

The signature equation must be adjusted with that factor h accordingly:

c = transcript.challenge()
s = c·total_key + ∑r_i
  = c·(a0·x0 + a1·x1 + h) + (r0 + r1)
  = c·a0·x0 + c·a1·x1 + c·h + r0 + r1
  = (c·a0·x0 + r0) + (c·a1·x1 + r1) + c·h
  = s0 + s1 + c·h
  = ∑s_i + c·h

Suggestion

  1. Add an adjustment_factor: Scalar parameter to Multikey.
  2. Compute the total pubkey with the addition of adjustment_factor*RISTRETTO_BASEPOINT_POINT. This is because it should match the adjusted public key visible to the verifier who commits it to the transcript.
  3. When aggregating the signatures, verify shares without the adjustment factor, but when adding them, add the challenge*adjustment_factor.

oleganza, Mar 21 '19 18:03
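The derivation and the three suggested steps can be checked end to end with the following added example, which is not part of the original issue and is not slingshot's code. It assumes a toy prime-order group in place of Ristretto and a std hasher in place of the transcript challenge; `sign_adjusted`, `verify` and `challenge` are hypothetical names.

```rust
// Added example: toy Schnorr group (order-Q subgroup of Z_P^*), NOT Ristretto.
// A point x·G is modelled as G^x mod P, so point addition becomes multiplication.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

const P: u64 = 2039; // safe prime, P = 2Q + 1 (toy size, assumption)
const Q: u64 = 1019; // prime order of the subgroup
const G: u64 = 4; // generator of the order-Q subgroup

fn pow(mut b: u64, mut e: u64) -> u64 {
    let mut acc = 1;
    while e > 0 {
        if e & 1 == 1 { acc = acc * b % P; }
        b = b * b % P;
        e >>= 1;
    }
    acc
}

// Stand-in for transcript.challenge(): a nonzero scalar mod Q (not a secure hash).
fn challenge(parts: &[u64]) -> u64 {
    let mut hasher = DefaultHasher::new();
    parts.hash(&mut hasher);
    hasher.finish() % (Q - 1) + 1
}

// Verifier's Schnorr check s·G == R + c·P_adj, written multiplicatively.
fn verify(p_adj: u64, r: u64, s: u64, msg: u64) -> bool {
    pow(G, s) == r * pow(p_adj, challenge(&[p_adj, r, msg])) % P
}

// Two-signer aggregation; returns (adjusted key, R, s = Σs_i + c·h, unadjusted Σs_i).
fn sign_adjusted(x: [u64; 2], a: [u64; 2], r: [u64; 2], h: u64, msg: u64) -> Option<(u64, u64, u64, u64)> {
    let total_secret = (a[0] * x[0] + a[1] * x[1]) % Q;
    let p_adj = pow(G, (total_secret + h) % Q); // step 2: total pubkey + h·G
    let big_r = pow(G, (r[0] + r[1]) % Q);
    let c = challenge(&[p_adj, big_r, msg]); // the challenge commits to the adjusted key
    let mut sum = 0;
    for i in 0..2 {
        let s_i = (c * a[i] % Q * x[i] + r[i]) % Q;
        // step 3: each share is verified against a_i·X_i, without h
        if pow(G, s_i) != pow(G, r[i]) * pow(pow(G, x[i]), c * a[i] % Q) % P { return None; }
        sum = (sum + s_i) % Q;
    }
    Some((p_adj, big_r, (sum + c * h) % Q, sum))
}

fn main() { println!("{:?}", sign_adjusted([11, 22], [3, 5], [101, 202], 77, 42)); }
```

The unadjusted sum of shares is returned only so that it can be shown to fail verification against the adjusted key; the scalar inputs are constructed sample values.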